Merge pull request #1048 from fluxcd/restore-key-algorithm-default

Restore default key algorithm flag create source

cmd/flux/bootstrap.go

@@ -19,13 +19,11 @@ package main
 import (
 	"context"
 	"fmt"
-	"net/url"
 	"path/filepath"
 	"time"
 
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -36,6 +34,7 @@ import (
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
 	"github.com/fluxcd/flux2/pkg/manifestgen/install"
+	kus "github.com/fluxcd/flux2/pkg/manifestgen/kustomization"
 	"github.com/fluxcd/flux2/pkg/manifestgen/sync"
 )
 
@@ -200,6 +199,7 @@ func generateSyncManifests(url, branch, name, namespace, targetPath, tmpDir stri
 		URL:          url,
 		Branch:       branch,
 		Interval:     interval,
+		Secret:       namespace,
 		TargetPath:   targetPath,
 		ManifestFile: sync.MakeDefaultOptions().ManifestFile,
 	}
@@ -214,9 +214,19 @@ func generateSyncManifests(url, branch, name, namespace, targetPath, tmpDir stri
 		return "", err
 	}
 	outputDir := filepath.Dir(output)
-	if err := utils.GenerateKustomizationYaml(outputDir); err != nil {
+
+	kusOpts := kus.MakeDefaultOptions()
+	kusOpts.BaseDir = tmpDir
+	kusOpts.TargetPath = filepath.Dir(manifest.Path)
+
+	kustomization, err := kus.Generate(kusOpts)
+	if err != nil {
 		return "", err
 	}
+	if _, err = kustomization.WriteFile(tmpDir); err != nil {
+		return "", err
+	}
+
 	return outputDir, nil
 }
 
@@ -269,35 +279,6 @@ func shouldCreateDeployKey(ctx context.Context, kubeClient client.Client, namesp
 	return false
 }
 
-func generateDeployKey(ctx context.Context, kubeClient client.Client, url *url.URL, namespace string) (string, error) {
-	pair, err := generateKeyPair(ctx, sourceGitArgs.keyAlgorithm, sourceGitArgs.keyRSABits, sourceGitArgs.keyECDSACurve)
-	if err != nil {
-		return "", err
-	}
-
-	hostKey, err := scanHostKey(ctx, url)
-	if err != nil {
-		return "", err
-	}
-
-	secret := corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      namespace,
-			Namespace: namespace,
-		},
-		StringData: map[string]string{
-			"identity":     string(pair.PrivateKey),
-			"identity.pub": string(pair.PublicKey),
-			"known_hosts":  string(hostKey),
-		},
-	}
-	if err := upsertSecret(ctx, kubeClient, secret); err != nil {
-		return "", err
-	}
-
-	return string(pair.PublicKey), nil
-}
-
 func checkIfBootstrapPathDiffers(ctx context.Context, kubeClient client.Client, namespace string, path string) (string, bool) {
 	namespacedName := types.NamespacedName{
 		Name:      namespace,

cmd/flux/bootstrap_github.go

@@ -26,14 +26,14 @@ import (
 	"path/filepath"
 	"time"
 
+	"github.com/fluxcd/pkg/git"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-
-	"github.com/fluxcd/pkg/git"
+	"sigs.k8s.io/yaml"
 
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 )
 
 var bootstrapGitHubCmd = &cobra.Command{
@@ -244,44 +244,48 @@ func bootstrapGitHubCmdRun(cmd *cobra.Command, args []string) error {
 		logger.Successf("install completed")
 	}
 
-	repoURL := repository.GetURL()
-
+	repoURL := repository.GetSSH()
+	secretOpts := sourcesecret.Options{
+		Name:      rootArgs.namespace,
+		Namespace: rootArgs.namespace,
+	}
 	if bootstrapArgs.tokenAuth {
-		// setup HTTPS token auth
-		secret := corev1.Secret{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      rootArgs.namespace,
-				Namespace: rootArgs.namespace,
-			},
-			StringData: map[string]string{
-				"username": "git",
-				"password": ghToken,
-			},
+		// Setup HTTPS token auth
+		repoURL = repository.GetURL()
+		secretOpts.Username = "git"
+		secretOpts.Password = ghToken
+	} else if shouldCreateDeployKey(ctx, kubeClient, rootArgs.namespace) {
+		// Setup SSH auth
+		u, err := url.Parse(repoURL)
+		if err != nil {
+			return fmt.Errorf("git URL parse failed: %w", err)
 		}
-		if err := upsertSecret(ctx, kubeClient, secret); err != nil {
+		secretOpts.SSHHostname = u.Hostname()
+		secretOpts.PrivateKeyAlgorithm = sourcesecret.RSAPrivateKeyAlgorithm
+		secretOpts.RSAKeyBits = 2048
+	}
+
+	secret, err := sourcesecret.Generate(secretOpts)
+	if err != nil {
+		return err
+	}
+	var s corev1.Secret
+	if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
+		return err
+	}
+	if len(s.StringData) > 0 {
+		logger.Actionf("configuring deploy key")
+		if err := upsertSecret(ctx, kubeClient, s); err != nil {
 			return err
 		}
-	} else {
-		// setup SSH deploy key
-		repoURL = repository.GetSSH()
-		if shouldCreateDeployKey(ctx, kubeClient, rootArgs.namespace) {
-			logger.Actionf("configuring deploy key")
-			u, err := url.Parse(repository.GetSSH())
-			if err != nil {
-				return fmt.Errorf("git URL parse failed: %w", err)
-			}
-
-			key, err := generateDeployKey(ctx, kubeClient, u, rootArgs.namespace)
-			if err != nil {
-				return fmt.Errorf("generating deploy key failed: %w", err)
-			}
 
+		if ppk, ok := s.StringData[sourcesecret.PublicKeySecretKey]; ok {
 			keyName := "flux"
 			if githubArgs.path != "" {
 				keyName = fmt.Sprintf("flux-%s", githubArgs.path)
 			}
 
-			if changed, err := provider.AddDeployKey(ctx, repository, key, keyName); err != nil {
+			if changed, err := provider.AddDeployKey(ctx, repository, ppk, keyName); err != nil {
 				return err
 			} else if changed {
 				logger.Successf("deploy key configured")

cmd/flux/bootstrap_gitlab.go

@@ -29,12 +29,13 @@ import (
 
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/yaml"
 
 	"github.com/fluxcd/pkg/git"
 
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 )
 
 var bootstrapGitLabCmd = &cobra.Command{
@@ -218,44 +219,48 @@ func bootstrapGitLabCmdRun(cmd *cobra.Command, args []string) error {
 		logger.Successf("install completed")
 	}
 
-	repoURL := repository.GetURL()
-
+	repoURL := repository.GetSSH()
+	secretOpts := sourcesecret.Options{
+		Name:      rootArgs.namespace,
+		Namespace: rootArgs.namespace,
+	}
 	if bootstrapArgs.tokenAuth {
-		// setup HTTPS token auth
-		secret := corev1.Secret{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      rootArgs.namespace,
-				Namespace: rootArgs.namespace,
-			},
-			StringData: map[string]string{
-				"username": "git",
-				"password": glToken,
-			},
+		// Setup HTTPS token auth
+		repoURL = repository.GetURL()
+		secretOpts.Username = "git"
+		secretOpts.Password = glToken
+	} else if shouldCreateDeployKey(ctx, kubeClient, rootArgs.namespace) {
+		// Setup SSH auth
+		u, err := url.Parse(repoURL)
+		if err != nil {
+			return fmt.Errorf("git URL parse failed: %w", err)
 		}
-		if err := upsertSecret(ctx, kubeClient, secret); err != nil {
+		secretOpts.SSHHostname = u.Hostname()
+		secretOpts.PrivateKeyAlgorithm = sourcesecret.RSAPrivateKeyAlgorithm
+		secretOpts.RSAKeyBits = 2048
+	}
+
+	secret, err := sourcesecret.Generate(secretOpts)
+	if err != nil {
+		return err
+	}
+	var s corev1.Secret
+	if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
+		return err
+	}
+	if len(s.StringData) > 0 {
+		logger.Actionf("configuring deploy key")
+		if err := upsertSecret(ctx, kubeClient, s); err != nil {
 			return err
 		}
-	} else {
-		// setup SSH deploy key
-		repoURL = repository.GetSSH()
-		if shouldCreateDeployKey(ctx, kubeClient, rootArgs.namespace) {
-			logger.Actionf("configuring deploy key")
-			u, err := url.Parse(repoURL)
-			if err != nil {
-				return fmt.Errorf("git URL parse failed: %w", err)
-			}
-
-			key, err := generateDeployKey(ctx, kubeClient, u, rootArgs.namespace)
-			if err != nil {
-				return fmt.Errorf("generating deploy key failed: %w", err)
-			}
 
+		if ppk, ok := s.StringData[sourcesecret.PublicKeySecretKey]; ok {
 			keyName := "flux"
 			if gitlabArgs.path != "" {
 				keyName = fmt.Sprintf("flux-%s", gitlabArgs.path)
 			}
 
-			if changed, err := provider.AddDeployKey(ctx, repository, key, keyName); err != nil {
+			if changed, err := provider.AddDeployKey(ctx, repository, ppk, keyName); err != nil {
 				return err
 			} else if changed {
 				logger.Successf("deploy key configured")

cmd/flux/completion_fish.go

@@ -25,13 +25,9 @@ import (
 var completionFishCmd = &cobra.Command{
 	Use:   "fish",
 	Short: "Generates fish completion scripts",
-	Example: `To load completion run
+	Example: `To configure your fish shell to load completions for each session write this script to your completions dir:
 
-. <(flux completion fish)
-
-To configure your fish shell to load completions for each session write this script to your completions dir:
-
-flux completion fish > ~/.config/fish/completions/flux
+flux completion fish > ~/.config/fish/completions/flux.fish
 
 See http://fishshell.com/docs/current/index.html#completion-own for more details
 `,

cmd/flux/create_kustomization.go

@@ -19,6 +19,7 @@ package main
 import (
 	"context"
 	"fmt"
+	"path/filepath"
 	"strings"
 	"time"
 
@@ -142,7 +143,7 @@ func createKsCmdRun(cmd *cobra.Command, args []string) error {
 			Interval: metav1.Duration{
 				Duration: createArgs.interval,
 			},
-			Path:  kustomizationArgs.path.String(),
+			Path:  filepath.ToSlash(kustomizationArgs.path.String()),
 			Prune: kustomizationArgs.prune,
 			SourceRef: kustomizev1.CrossNamespaceSourceReference{
 				Kind: kustomizationArgs.source.Kind,

cmd/flux/create_secret.go

@@ -18,15 +18,12 @@ package main
 
 import (
 	"context"
-	"fmt"
 
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/yaml"
 )
 
 var createSecretCmd = &cobra.Command{
@@ -39,23 +36,6 @@ func init() {
 	createCmd.AddCommand(createSecretCmd)
 }
 
-func makeSecret(name string) (corev1.Secret, error) {
-	secretLabels, err := parseLabels()
-	if err != nil {
-		return corev1.Secret{}, err
-	}
-
-	return corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      name,
-			Namespace: rootArgs.namespace,
-			Labels:    secretLabels,
-		},
-		StringData: map[string]string{},
-		Data:       nil,
-	}, nil
-}
-
 func upsertSecret(ctx context.Context, kubeClient client.Client, secret corev1.Secret) error {
 	namespacedName := types.NamespacedName{
 		Namespace: secret.GetNamespace(),
@@ -81,19 +61,3 @@ func upsertSecret(ctx context.Context, kubeClient client.Client, secret corev1.S
 	}
 	return nil
 }
-
-func exportSecret(secret corev1.Secret) error {
-	secret.TypeMeta = metav1.TypeMeta{
-		APIVersion: "v1",
-		Kind:       "Secret",
-	}
-
-	data, err := yaml.Marshal(secret)
-	if err != nil {
-		return err
-	}
-
-	fmt.Println("---")
-	fmt.Println(resourceToString(data))
-	return nil
-}

cmd/flux/create_secret_git.go

@@ -20,15 +20,15 @@ import (
 	"context"
 	"crypto/elliptic"
 	"fmt"
-	"io/ioutil"
 	"net/url"
-	"time"
 
 	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/yaml"
 
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
-	"github.com/fluxcd/pkg/ssh"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 )
 
 var createSecretGitCmd = &cobra.Command{
@@ -96,7 +96,7 @@ func init() {
 
 func NewSecretGitFlags() secretGitFlags {
 	return secretGitFlags{
-		keyAlgorithm: "rsa",
+		keyAlgorithm: flags.PublicKeyAlgorithm(sourcesecret.RSAPrivateKeyAlgorithm),
 		rsaBits:      2048,
 		ecdsaCurve:   flags.ECDSACurve{Curve: elliptic.P384()},
 	}
@@ -107,11 +107,6 @@ func createSecretGitCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("secret name is required")
 	}
 	name := args[0]
-	secret, err := makeSecret(name)
-	if err != nil {
-		return err
-	}
-
 	if secretGitArgs.url == "" {
 		return fmt.Errorf("url is required")
 	}
@@ -121,96 +116,63 @@ func createSecretGitCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("git URL parse failed: %w", err)
 	}
 
-	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
-	defer cancel()
-
-	switch u.Scheme {
-	case "ssh":
-		pair, err := generateKeyPair(ctx, secretGitArgs.keyAlgorithm, secretGitArgs.rsaBits, secretGitArgs.ecdsaCurve)
-		if err != nil {
-			return err
-		}
-
-		hostKey, err := scanHostKey(ctx, u)
-		if err != nil {
-			return err
-		}
-
-		secret.StringData = map[string]string{
-			"identity":     string(pair.PrivateKey),
-			"identity.pub": string(pair.PublicKey),
-			"known_hosts":  string(hostKey),
-		}
-
-		if !createArgs.export {
-			logger.Generatef("deploy key: %s", string(pair.PublicKey))
-		}
-	case "http", "https":
-		if secretGitArgs.username == "" || secretGitArgs.password == "" {
-			return fmt.Errorf("for Git over HTTP/S the username and password are required")
-		}
-
-		secret.StringData = map[string]string{
-			"username": secretGitArgs.username,
-			"password": secretGitArgs.password,
-		}
-
-		if secretGitArgs.caFile != "" {
-			ca, err := ioutil.ReadFile(secretGitArgs.caFile)
-			if err != nil {
-				return fmt.Errorf("failed to read CA file '%s': %w", secretGitArgs.caFile, err)
-			}
-			secret.StringData["caFile"] = string(ca)
-		}
-
-	default:
-		return fmt.Errorf("git URL scheme '%s' not supported, can be: ssh, http and https", u.Scheme)
-	}
-
-	if createArgs.export {
-		return exportSecret(secret)
-	}
-
-	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
+	labels, err := parseLabels()
 	if err != nil {
 		return err
 	}
 
-	if err := upsertSecret(ctx, kubeClient, secret); err != nil {
+	opts := sourcesecret.Options{
+		Name:         name,
+		Namespace:    rootArgs.namespace,
+		Labels:       labels,
+		ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
+	}
+	switch u.Scheme {
+	case "ssh":
+		opts.SSHHostname = u.Hostname()
+		opts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(secretGitArgs.keyAlgorithm)
+		opts.RSAKeyBits = int(secretGitArgs.rsaBits)
+		opts.ECDSACurve = secretGitArgs.ecdsaCurve.Curve
+	case "http", "https":
+		if secretGitArgs.username == "" || secretGitArgs.password == "" {
+			return fmt.Errorf("for Git over HTTP/S the username and password are required")
+		}
+		opts.Username = secretGitArgs.username
+		opts.Password = secretGitArgs.password
+		opts.CAFilePath = secretGitArgs.caFile
+	default:
+		return fmt.Errorf("git URL scheme '%s' not supported, can be: ssh, http and https", u.Scheme)
+	}
+
+	secret, err := sourcesecret.Generate(opts)
+	if err != nil {
+		return err
+	}
+
+	if createArgs.export {
+		fmt.Println(secret.Content)
+		return nil
+	}
+
+	var s corev1.Secret
+	if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
+		return err
+	}
+
+	if ppk, ok := s.StringData[sourcesecret.PublicKeySecretKey]; ok {
+		logger.Generatef("deploy key: %s", ppk)
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
+	defer cancel()
+	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
+	if err != nil {
+		return err
+	}
+	if err := upsertSecret(ctx, kubeClient, s); err != nil {
 		return err
 	}
 	logger.Actionf("secret '%s' created in '%s' namespace", name, rootArgs.namespace)
 
 	return nil
 }
-
-func generateKeyPair(ctx context.Context, alg flags.PublicKeyAlgorithm, rsa flags.RSAKeyBits, ecdsa flags.ECDSACurve) (*ssh.KeyPair, error) {
-	var keyGen ssh.KeyPairGenerator
-	switch algorithm := alg.String(); algorithm {
-	case "rsa":
-		keyGen = ssh.NewRSAGenerator(int(rsa))
-	case "ecdsa":
-		keyGen = ssh.NewECDSAGenerator(ecdsa.Curve)
-	case "ed25519":
-		keyGen = ssh.NewEd25519Generator()
-	default:
-		return nil, fmt.Errorf("unsupported public key algorithm: %s", algorithm)
-	}
-	pair, err := keyGen.Generate()
-	if err != nil {
-		return nil, fmt.Errorf("key pair generation failed, error: %w", err)
-	}
-	return pair, nil
-}
-
-func scanHostKey(ctx context.Context, url *url.URL) ([]byte, error) {
-	host := url.Host
-	if url.Port() == "" {
-		host = host + ":22"
-	}
-	hostKey, err := ssh.ScanHostKey(host, 30*time.Second)
-	if err != nil {
-		return nil, fmt.Errorf("SSH key scan for host %s failed, error: %w", host, err)
-	}
-	return hostKey, nil
-}

cmd/flux/create_secret_helm.go

@@ -21,8 +21,11 @@ import (
 	"fmt"
 
 	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/yaml"
 
 	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 )
 
 var createSecretHelmCmd = &cobra.Command{
@@ -30,8 +33,8 @@ var createSecretHelmCmd = &cobra.Command{
 	Short: "Create or update a Kubernetes secret for Helm repository authentication",
 	Long: `
 The create secret helm command generates a Kubernetes secret with basic authentication credentials.`,
-	Example: `    # Create a Helm authentication secret on disk and encrypt it with Mozilla SOPS
-
+	Example: `
+  # Create a Helm authentication secret on disk and encrypt it with Mozilla SOPS
   flux create secret helm repo-auth \
     --namespace=my-namespace \
     --username=my-username \
@@ -72,36 +75,45 @@ func createSecretHelmCmdRun(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("secret name is required")
 	}
 	name := args[0]
-	secret, err := makeSecret(name)
+
+	labels, err := parseLabels()
 	if err != nil {
 		return err
 	}
 
-	if secretHelmArgs.username != "" && secretHelmArgs.password != "" {
-		secret.StringData["username"] = secretHelmArgs.username
-		secret.StringData["password"] = secretHelmArgs.password
+	opts := sourcesecret.Options{
+		Name:         name,
+		Namespace:    rootArgs.namespace,
+		Labels:       labels,
+		Username:     secretHelmArgs.username,
+		Password:     secretHelmArgs.password,
+		CAFilePath:   secretHelmArgs.caFile,
+		CertFilePath: secretHelmArgs.certFile,
+		KeyFilePath:  secretHelmArgs.keyFile,
 	}
-
-	if err = populateSecretTLS(&secret, secretHelmArgs.secretTLSFlags); err != nil {
+	secret, err := sourcesecret.Generate(opts)
+	if err != nil {
 		return err
 	}
 
 	if createArgs.export {
-		return exportSecret(secret)
+		fmt.Println(secret.Content)
+		return nil
 	}
 
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-
 	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
 	if err != nil {
 		return err
 	}
-
-	if err := upsertSecret(ctx, kubeClient, secret); err != nil {
+	var s corev1.Secret
+	if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
+		return err
+	}
+	if err := upsertSecret(ctx, kubeClient, s); err != nil {
 		return err
 	}
-	logger.Actionf("secret '%s' created in '%s' namespace", name, rootArgs.namespace)
 
 	return nil
 }

cmd/flux/create_secret_tls.go

@@ -19,13 +19,14 @@ package main
 import (
 	"context"
 	"fmt"
-	"io/ioutil"
 
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 	corev1 "k8s.io/api/core/v1"
+	"sigs.k8s.io/yaml"
 
 	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 )
 
 var createSecretTLSCmd = &cobra.Command{
@@ -68,61 +69,48 @@ func init() {
 	createSecretCmd.AddCommand(createSecretTLSCmd)
 }
 
-func populateSecretTLS(secret *corev1.Secret, args secretTLSFlags) error {
-	if args.certFile != "" && args.keyFile != "" {
-		cert, err := ioutil.ReadFile(args.certFile)
-		if err != nil {
-			return fmt.Errorf("failed to read repository cert file '%s': %w", args.certFile, err)
-		}
-		secret.StringData["certFile"] = string(cert)
-
-		key, err := ioutil.ReadFile(args.keyFile)
-		if err != nil {
-			return fmt.Errorf("failed to read repository key file '%s': %w", args.keyFile, err)
-		}
-		secret.StringData["keyFile"] = string(key)
-	}
-
-	if args.caFile != "" {
-		ca, err := ioutil.ReadFile(args.caFile)
-		if err != nil {
-			return fmt.Errorf("failed to read repository CA file '%s': %w", args.caFile, err)
-		}
-		secret.StringData["caFile"] = string(ca)
-	}
-	return nil
-}
-
 func createSecretTLSCmdRun(cmd *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		return fmt.Errorf("secret name is required")
 	}
 	name := args[0]
-	secret, err := makeSecret(name)
+
+	labels, err := parseLabels()
 	if err != nil {
 		return err
 	}
 
-	if err = populateSecretTLS(&secret, secretTLSArgs); err != nil {
+	opts := sourcesecret.Options{
+		Name:         name,
+		Namespace:    rootArgs.namespace,
+		Labels:       labels,
+		CAFilePath:   secretTLSArgs.caFile,
+		CertFilePath: secretTLSArgs.certFile,
+		KeyFilePath:  secretTLSArgs.keyFile,
+	}
+	secret, err := sourcesecret.Generate(opts)
+	if err != nil {
 		return err
 	}
 
 	if createArgs.export {
-		return exportSecret(secret)
+		fmt.Println(secret.Content)
+		return nil
 	}
 
 	ctx, cancel := context.WithTimeout(context.Background(), rootArgs.timeout)
 	defer cancel()
-
 	kubeClient, err := utils.KubeClient(rootArgs.kubeconfig, rootArgs.kubecontext)
 	if err != nil {
 		return err
 	}
-
-	if err := upsertSecret(ctx, kubeClient, secret); err != nil {
+	var s corev1.Secret
+	if err := yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
+		return err
+	}
+	if err := upsertSecret(ctx, kubeClient, s); err != nil {
 		return err
 	}
-	logger.Actionf("secret '%s' created in '%s' namespace", name, rootArgs.namespace)
 
 	return nil
 }

cmd/flux/create_source_git.go

@@ -24,6 +24,8 @@ import (
 	"net/url"
 	"os"
 
+	"github.com/fluxcd/pkg/apis/meta"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 	"github.com/manifoldco/promptui"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
@@ -33,12 +35,11 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-
-	"github.com/fluxcd/pkg/apis/meta"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
+	"sigs.k8s.io/yaml"
 
 	"github.com/fluxcd/flux2/internal/flags"
 	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 )
 
 type sourceGitFlags struct {
@@ -121,7 +122,7 @@ func init() {
 
 func newSourceGitFlags() sourceGitFlags {
 	return sourceGitFlags{
-		keyAlgorithm:  "rsa",
+		keyAlgorithm:  flags.PublicKeyAlgorithm(sourcesecret.RSAPrivateKeyAlgorithm),
 		keyRSABits:    2048,
 		keyECDSACurve: flags.ECDSACurve{Curve: elliptic.P384()},
 	}
@@ -151,6 +152,9 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 	if err != nil {
 		return fmt.Errorf("git URL parse failed: %w", err)
 	}
+	if u.Scheme != "ssh" && u.Scheme != "http" && u.Scheme != "https" {
+		return fmt.Errorf("git URL scheme '%s' not supported, can be: ssh, http and https", u.Scheme)
+	}
 
 	sourceLabels, err := parseLabels()
 	if err != nil {
@@ -184,12 +188,13 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 		gitRepository.Spec.Reference.Branch = sourceGitArgs.branch
 	}
 
-	if createArgs.export {
-		if sourceGitArgs.secretRef != "" {
-			gitRepository.Spec.SecretRef = &meta.LocalObjectReference{
-				Name: sourceGitArgs.secretRef,
-			}
+	if sourceGitArgs.secretRef != "" {
+		gitRepository.Spec.SecretRef = &meta.LocalObjectReference{
+			Name: sourceGitArgs.secretRef,
 		}
+	}
+
+	if createArgs.export {
 		return exportGit(gitRepository)
 	}
 
@@ -201,91 +206,54 @@ func createSourceGitCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	withAuth := false
-	// TODO(hidde): move all auth prep to separate func?
-	if sourceGitArgs.secretRef != "" {
-		withAuth = true
-	} else if u.Scheme == "ssh" {
-		logger.Generatef("generating deploy key pair")
-		pair, err := generateKeyPair(ctx, sourceGitArgs.keyAlgorithm, sourceGitArgs.keyRSABits, sourceGitArgs.keyECDSACurve)
-		if err != nil {
-			return err
-		}
-
-		logger.Successf("deploy key: %s", pair.PublicKey)
-		prompt := promptui.Prompt{
-			Label:     "Have you added the deploy key to your repository",
-			IsConfirm: true,
-		}
-		if _, err := prompt.Run(); err != nil {
-			return fmt.Errorf("aborting")
-		}
-
-		logger.Actionf("collecting preferred public key from SSH server")
-		hostKey, err := scanHostKey(ctx, u)
-		if err != nil {
-			return err
-		}
-		logger.Successf("collected public key from SSH server:\n%s", hostKey)
-
-		logger.Actionf("applying secret with keys")
-		secret := corev1.Secret{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      name,
-				Namespace: rootArgs.namespace,
-				Labels:    sourceLabels,
-			},
-			StringData: map[string]string{
-				"identity":     string(pair.PrivateKey),
-				"identity.pub": string(pair.PublicKey),
-				"known_hosts":  string(hostKey),
-			},
-		}
-		if err := upsertSecret(ctx, kubeClient, secret); err != nil {
-			return err
-		}
-		withAuth = true
-	} else if sourceGitArgs.username != "" && sourceGitArgs.password != "" {
-		logger.Actionf("applying secret with basic auth credentials")
-		secret := corev1.Secret{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      name,
-				Namespace: rootArgs.namespace,
-				Labels:    sourceLabels,
-			},
-			StringData: map[string]string{
-				"username": sourceGitArgs.username,
-				"password": sourceGitArgs.password,
-			},
-		}
-
-		if sourceGitArgs.caFile != "" {
-			ca, err := ioutil.ReadFile(sourceGitArgs.caFile)
-			if err != nil {
-				return fmt.Errorf("failed to read CA file '%s': %w", sourceGitArgs.caFile, err)
-			}
-			secret.StringData["caFile"] = string(ca)
-		}
-
-		if err := upsertSecret(ctx, kubeClient, secret); err != nil {
-			return err
-		}
-		withAuth = true
-	}
-
-	if withAuth {
-		logger.Successf("authentication configured")
-	}
-
 	logger.Generatef("generating GitRepository source")
-
-	if withAuth {
-		secretName := name
-		if sourceGitArgs.secretRef != "" {
-			secretName = sourceGitArgs.secretRef
+	if sourceGitArgs.secretRef == "" {
+		secretOpts := sourcesecret.Options{
+			Name:         name,
+			Namespace:    rootArgs.namespace,
+			ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 		}
-		gitRepository.Spec.SecretRef = &meta.LocalObjectReference{
-			Name: secretName,
+		switch u.Scheme {
+		case "ssh":
+			secretOpts.SSHHostname = u.Hostname()
+			secretOpts.PrivateKeyAlgorithm = sourcesecret.PrivateKeyAlgorithm(sourceGitArgs.keyAlgorithm)
+			secretOpts.RSAKeyBits = int(sourceGitArgs.keyRSABits)
+			secretOpts.ECDSACurve = sourceGitArgs.keyECDSACurve.Curve
+		case "https":
+			secretOpts.Username = sourceGitArgs.username
+			secretOpts.Password = sourceGitArgs.password
+			secretOpts.CAFilePath = sourceGitArgs.caFile
+		}
+		secret, err := sourcesecret.Generate(secretOpts)
+		if err != nil {
+			return err
+		}
+		var s corev1.Secret
+		if err = yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
+			return err
+		}
+		if len(s.StringData) > 0 {
+			if hk, ok := s.StringData[sourcesecret.KnownHostsSecretKey]; ok {
+				logger.Successf("collected public key from SSH server:\n%s", hk)
+			}
+			if ppk, ok := s.StringData[sourcesecret.PublicKeySecretKey]; ok {
+				logger.Generatef("deploy key: %s", ppk)
+				prompt := promptui.Prompt{
+					Label:     "Have you added the deploy key to your repository",
+					IsConfirm: true,
+				}
+				if _, err := prompt.Run(); err != nil {
+					return fmt.Errorf("aborting")
+				}
+			}
+			logger.Actionf("applying secret with repository credentials")
+			if err := upsertSecret(ctx, kubeClient, s); err != nil {
+				return err
+			}
+			gitRepository.Spec.SecretRef = &meta.LocalObjectReference{
+				Name: s.Name,
+			}
+			logger.Successf("authentication configured")
 		}
 	}
 

cmd/flux/create_source_helm.go

@@ -32,10 +32,12 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/yaml"
 
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 
 	"github.com/fluxcd/flux2/internal/utils"
+	"github.com/fluxcd/flux2/pkg/manifestgen/sourcesecret"
 )
 
 var createSourceHelmCmd = &cobra.Command{
@@ -149,46 +151,27 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 	logger.Generatef("generating HelmRepository source")
 	if sourceHelmArgs.secretRef == "" {
 		secretName := fmt.Sprintf("helm-%s", name)
-
-		secret := corev1.Secret{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      secretName,
-				Namespace: rootArgs.namespace,
-				Labels:    sourceLabels,
-			},
-			StringData: map[string]string{},
+		secretOpts := sourcesecret.Options{
+			Name:         secretName,
+			Namespace:    rootArgs.namespace,
+			Username:     sourceHelmArgs.username,
+			Password:     sourceHelmArgs.password,
+			CertFilePath: sourceHelmArgs.certFile,
+			KeyFilePath:  sourceHelmArgs.keyFile,
+			CAFilePath:   sourceHelmArgs.caFile,
+			ManifestFile: sourcesecret.MakeDefaultOptions().ManifestFile,
 		}
-
-		if sourceHelmArgs.username != "" && sourceHelmArgs.password != "" {
-			secret.StringData["username"] = sourceHelmArgs.username
-			secret.StringData["password"] = sourceHelmArgs.password
+		secret, err := sourcesecret.Generate(secretOpts)
+		if err != nil {
+			return err
 		}
-
-		if sourceHelmArgs.certFile != "" && sourceHelmArgs.keyFile != "" {
-			cert, err := ioutil.ReadFile(sourceHelmArgs.certFile)
-			if err != nil {
-				return fmt.Errorf("failed to read repository cert file '%s': %w", sourceHelmArgs.certFile, err)
-			}
-			secret.StringData["certFile"] = string(cert)
-
-			key, err := ioutil.ReadFile(sourceHelmArgs.keyFile)
-			if err != nil {
-				return fmt.Errorf("failed to read repository key file '%s': %w", sourceHelmArgs.keyFile, err)
-			}
-			secret.StringData["keyFile"] = string(key)
+		var s corev1.Secret
+		if err = yaml.Unmarshal([]byte(secret.Content), &s); err != nil {
+			return err
 		}
-
-		if sourceHelmArgs.caFile != "" {
-			ca, err := ioutil.ReadFile(sourceHelmArgs.caFile)
-			if err != nil {
-				return fmt.Errorf("failed to read repository CA file '%s': %w", sourceHelmArgs.caFile, err)
-			}
-			secret.StringData["caFile"] = string(ca)
-		}
-
-		if len(secret.StringData) > 0 {
+		if len(s.StringData) > 0 {
 			logger.Actionf("applying secret with repository credentials")
-			if err := upsertSecret(ctx, kubeClient, secret); err != nil {
+			if err := upsertSecret(ctx, kubeClient, s); err != nil {
 				return err
 			}
 			helmRepository.Spec.SecretRef = &meta.LocalObjectReference{

docs/cmd/flux_completion_fish.md

@@ -9,13 +9,9 @@ flux completion fish [flags]
 ### Examples
 
 ```
-To load completion run
-
-. <(flux completion fish)
-
 To configure your fish shell to load completions for each session write this script to your completions dir:
 
-flux completion fish > ~/.config/fish/completions/flux
+flux completion fish > ~/.config/fish/completions/flux.fish
 
 See http://fishshell.com/docs/current/index.html#completion-own for more details
 

docs/cmd/flux_create_secret_helm.md

@@ -14,8 +14,8 @@ flux create secret helm [name] [flags]
 ### Examples
 
 ```
-    # Create a Helm authentication secret on disk and encrypt it with Mozilla SOPS
 
+  # Create a Helm authentication secret on disk and encrypt it with Mozilla SOPS
   flux create secret helm repo-auth \
     --namespace=my-namespace \
     --username=my-username \

docs/faq/index.md

@@ -152,7 +152,8 @@ cd ./deploy/prod && kustomize create --autodetect --recursive
 
 ### What is the behavior of Kustomize used by Flux
 
-We referred to the Kustomization CLI flags here, so that you can replicate the same behavior using the CLI. The behavior of Kustomize used by the controller is currently configured as following:
+We referred to the Kustomization CLI flags here, so that you can replicate the same behavior using the CLI.
+The behavior of Kustomize used by the controller is currently configured as following:
 
 - `--allow_id_changes` is set to false, so it does not change any resource IDs.
 - `--enable_kyaml` is disabled by default, so it currently used `k8sdeps` to process YAMLs.
@@ -197,95 +198,76 @@ NAMESPACE  	NAME           	READY	MESSAGE
 default  	default-podinfo	False	no chart version found for podinfo-9.0.0
 ```
 
+### Can I use Flux HelmReleases without GitOps?
+
+Yes, you can install the Flux components directly on a cluster
+and manage Helm releases with `kubectl`.
+
+Install the controllers needed for Helm operations with `flux`:
+
+```sh
+flux install \
+--namespace=flux-system \
+--network-policy=false \
+--components=source-controller,helm-controller
+```
+
+Create a Helm release with `kubectl`:
+
+```sh
+cat << EOF | kubectl apply -f -
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+  name: bitnami
+  namespace: flux-system
+spec:
+  interval: 30m
+  url: https://charts.bitnami.com/bitnami
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: metrics-server
+  namespace: kube-system
+spec:
+  interval: 60m
+  releaseName: metrics-server
+  chart:
+    spec:
+      chart: metrics-server
+      version: "^5.x"
+      sourceRef:
+        kind: HelmRepository
+        name: bitnami
+        namespace: flux-system
+  values:
+    apiService:
+      create: true
+EOF
+```
+
+Based on the above definition, Flux will upgrade the release automatically
+when Bitnami publishes a new version of the metrics-server chart.
+
 ## Flux v1 vs v2 questions
 
-### What does Flux v2 mean for Flux?
+### What are the differences between v1 and v2?
 
-Flux v1 is a monolithic do-it-all operator; Flux v2 separates the functionalities into specialized controllers, collectively called the GitOps Toolkit.
+Flux v1 is a monolithic do-it-all operator;
+Flux v2 separates the functionalities into specialized controllers, collectively called the GitOps Toolkit.
 
-You can install and operate Flux v2 simply using the `flux` command. You can easily pick and choose the functionality you need and extend it to serve your own purposes.
+You can find a detailed comparison of Flux v1 and v2 features in the [migration FAQ](../guides/faq-migration.md).
 
-The timeline we are looking at right now is:
+### How can I migrate from v1 to v2?
 
-1. Put Flux v1 into maintenance mode (no new features being added; bugfixes and CVEs patched only).
-1. Continue work on the [Flux v2 roadmap](https://toolkit.fluxcd.io/roadmap/).
-1. We will provide transition guides for specific user groups, e.g. users of Flux v1 in read-only mode, or of Helm Operator v1, etc. once the functionality is integrated into Flux v2 and it's deemed "ready".
-1. Once the use-cases of Flux v1 are covered, we will continue supporting Flux v1 for 6 months. This will be the transition period before it's considered unsupported.
+The Flux community has created guides and example repositories
+to help you migrate to Flux v2:
 
-### Why did you rewrite Flux?
-
-Flux v2 implements its functionality in individual controllers, which allowed us to address long-standing feature requests much more easily.
-
-By basing these controllers on modern Kubernetes tooling (`controller-runtime` libraries), they can be dynamically configured with Kubernetes custom resources either by cluster admins or by other automated tools -- and you get greatly increased observability.
-
-This gave us the opportunity to build Flux v2 with the top Flux v1 feature requests in mind:
-
-- Supporting multiple source Git repositories
-- Operational insight through health checks, events and alerts
-- Multi-tenancy capabilities, like applying each source repository with its own set of permissions
-
-On top of that, testing the individual components and understanding the codebase becomes a lot easier.
-
-### What are significant new differences between Flux v1 and Flux v2?
-
-#### Reconciliation
-
-Flux v1                            | Flux v2
----------------------------------- | ----------------------------------
-Limited to a single Git repository | Multiple Git repositories
-Declarative config via arguments in the Flux deployment | `GitRepository` custom resource, which produces an artifact which can be reconciled by other controllers
-Follow `HEAD` of Git branches | Supports Git branches, pinning on commits and tags, follow SemVer tag ranges
-Suspending of reconciliation by downscaling Flux deployment | Reconciliation can be paused per resource by suspending the `GitRepository`
-Credentials config via Arguments and/or Secret volume mounts in the Flux pod | Credentials config per `GitRepository` resource: SSH private key, HTTP/S username/password/token, OpenPGP public keys
-
-#### `kustomize` support
-
-Flux v1                            | Flux v2
----------------------------------- | ----------------------------------
-Declarative config through `.flux.yaml` files in the Git repository | Declarative config through a `Kustomization` custom resource, consuming the artifact from the GitRepository
-Manifests are generated via shell exec and then reconciled by `fluxd` | Generation, server-side validation, and reconciliation is handled by a specialised `kustomize-controller`
-Reconciliation using the service account of the Flux deployment | Support for service account impersonation
-Garbage collection needs cluster role binding for Flux to query the Kubernetes discovery API | Garbage collection needs no cluster role binding or access to Kubernetes discovery API
-Support for custom commands and generators executed by fluxd in a POSIX shell | No support for custom commands
-
-#### Helm integration
-
-Flux v1                            | Flux v2
----------------------------------- | ----------------------------------
-Declarative config in a single Helm custom resource | Declarative config through `HelmRepository`, `GitRepository`, `Bucket`, `HelmChart` and `HelmRelease` custom resources
-Chart synchronisation embedded in the operator | Extensive release configuration options, and a reconciliation interval per source
-Support for fixed SemVer versions from Helm repositories | Support for SemVer ranges for `HelmChart` resources
-Git repository synchronisation on a global interval | Planned support for charts from GitRepository sources
-Limited observability via the status object of the HelmRelease resource | Better observability via the HelmRelease status object, Kubernetes events, and notifications
-Resource heavy, relatively slow | Better performance
-Chart changes from Git sources are determined from Git metadata | Chart changes must be accompanied by a version bump in `Chart.yaml` to produce a new artifact
-
-#### Notifications, webhooks, observability
-
-Flux v1                            | Flux v2
----------------------------------- | ----------------------------------
-Emits "custom Flux events" to a webhook endpoint | Emits Kubernetes events for included custom resources
-RPC endpoint can be configured to a 3rd party solution like FluxCloud to be forwarded as notifications to e.g. Slack | Flux v2 components can be configured to POST the events to a `notification-controller` endpoint. Selective forwarding of POSTed events as notifications using `Provider` and `Alert` custom resources.
-Webhook receiver is a side-project | Webhook receiver, handling a wide range of platforms, is included
-Unstructured logging | Structured logging for all components
-Custom Prometheus metrics | Generic / common `controller-runtime` Prometheus metrics
-
-### How can I get involved?
-
-There are a variety of ways and we look forward to having you on board building the future of GitOps together:
-
-- [Discuss the direction](https://github.com/fluxcd/flux2/discussions) of Flux v2 with us
-- Join us in #flux-dev on the [CNCF Slack](https://slack.cncf.io)
-- Check out our [contributor docs](https://toolkit.fluxcd.io/contributing/)
-- Take a look at the [roadmap for Flux v2](https://toolkit.fluxcd.io/roadmap/)
-
-### Are there any breaking changes?
-
-- In Flux v1 Kustomize support was implemented through `.flux.yaml` files in the Git repository. As indicated in the comparison table above, while this approach worked, we found it to be error-prone and hard to debug. The new [Kustomization CR](https://github.com/fluxcd/kustomize-controller/blob/master/docs/spec/v1alpha1/kustomization.md) should make troubleshooting much easier. Unfortunately we needed to drop the support for custom commands as running arbitrary shell scripts in-cluster poses serious security concerns.
-- Helm users: we redesigned the `HelmRelease` API and the automation will work quite differently, so upgrading to `HelmRelease` v2 will require a little work from you, but you will gain more flexibility, better observability and performance.
-
-### Is the GitOps Toolkit related to the GitOps Engine?
-
-In an announcement in August 2019, the expectation was set that the Flux project would integrate the GitOps Engine, then being factored out of ArgoCD. Since the result would be backward-incompatible, it would require a major version bump: Flux v2.
-
-After experimentation and considerable thought, we (the maintainers) have found a path to Flux v2 that we think better serves our vision of GitOps: the GitOps Toolkit. In consequence, we do not now plan to integrate GitOps Engine into Flux.
+- [Migrate from Flux v1](https://toolkit.fluxcd.io/guides/flux-v1-migration/)
+- [Migrate from `.flux.yaml` and kustomize](https://toolkit.fluxcd.io/guides/flux-v1-migration/#flux-with-kustomize)
+- [Migrate from Flux v1 automated container image updates](https://toolkit.fluxcd.io/guides/flux-v1-automation-migration/)
+- [How to manage multi-tenant clusters with Flux v2](https://github.com/fluxcd/flux2-multi-tenancy)
+- [Migrate from Helm Operator to Flux v2](https://toolkit.fluxcd.io/guides/helm-operator-migration/)
+- [How to structure your HelmReleases](https://github.com/fluxcd/flux2-kustomize-helm-example)

docs/guides/faq-migration.md

@@ -0,0 +1,92 @@
+## Flux v1 vs v2 questions
+
+### What does Flux v2 mean for Flux?
+
+Flux v1 is a monolithic do-it-all operator; Flux v2 separates the functionalities into specialized controllers, collectively called the GitOps Toolkit.
+
+You can install and operate Flux v2 simply using the `flux` command. You can easily pick and choose the functionality you need and extend it to serve your own purposes.
+
+The timeline we are looking at right now is:
+
+1. Put Flux v1 into maintenance mode (no new features being added; bugfixes and CVEs patched only).
+1. Continue work on the [Flux v2 roadmap](https://toolkit.fluxcd.io/roadmap/).
+1. We will provide transition guides for specific user groups, e.g. users of Flux v1 in read-only mode, or of Helm Operator v1, etc. once the functionality is integrated into Flux v2 and it's deemed "ready".
+1. Once the use-cases of Flux v1 are covered, we will continue supporting Flux v1 for 6 months. This will be the transition period before it's considered unsupported.
+
+### Why did you rewrite Flux?
+
+Flux v2 implements its functionality in individual controllers, which allowed us to address long-standing feature requests much more easily.
+
+By basing these controllers on modern Kubernetes tooling (`controller-runtime` libraries), they can be dynamically configured with Kubernetes custom resources either by cluster admins or by other automated tools -- and you get greatly increased observability.
+
+This gave us the opportunity to build Flux v2 with the top Flux v1 feature requests in mind:
+
+- Supporting multiple source Git repositories
+- Operational insight through health checks, events and alerts
+- Multi-tenancy capabilities, like applying each source repository with its own set of permissions
+
+On top of that, testing the individual components and understanding the codebase becomes a lot easier.
+
+### What are significant new differences between Flux v1 and Flux v2?
+
+#### Reconciliation
+
+Flux v1                            | Flux v2
+---------------------------------- | ----------------------------------
+Limited to a single Git repository | Multiple Git repositories
+Declarative config via arguments in the Flux deployment | `GitRepository` custom resource, which produces an artifact which can be reconciled by other controllers
+Follow `HEAD` of Git branches | Supports Git branches, pinning on commits and tags, follow SemVer tag ranges
+Suspending of reconciliation by downscaling Flux deployment | Reconciliation can be paused per resource by suspending the `GitRepository`
+Credentials config via Arguments and/or Secret volume mounts in the Flux pod | Credentials config per `GitRepository` resource: SSH private key, HTTP/S username/password/token, OpenPGP public keys
+
+#### `kustomize` support
+
+Flux v1                            | Flux v2
+---------------------------------- | ----------------------------------
+Declarative config through `.flux.yaml` files in the Git repository | Declarative config through a `Kustomization` custom resource, consuming the artifact from the GitRepository
+Manifests are generated via shell exec and then reconciled by `fluxd` | Generation, server-side validation, and reconciliation is handled by a specialised `kustomize-controller`
+Reconciliation using the service account of the Flux deployment | Support for service account impersonation
+Garbage collection needs cluster role binding for Flux to query the Kubernetes discovery API | Garbage collection needs no cluster role binding or access to Kubernetes discovery API
+Support for custom commands and generators executed by fluxd in a POSIX shell | No support for custom commands
+
+#### Helm integration
+
+Flux v1                            | Flux v2
+---------------------------------- | ----------------------------------
+Declarative config in a single Helm custom resource | Declarative config through `HelmRepository`, `GitRepository`, `Bucket`, `HelmChart` and `HelmRelease` custom resources
+Chart synchronisation embedded in the operator | Extensive release configuration options, and a reconciliation interval per source
+Support for fixed SemVer versions from Helm repositories | Support for SemVer ranges for `HelmChart` resources
+Git repository synchronisation on a global interval | Planned support for charts from GitRepository sources
+Limited observability via the status object of the HelmRelease resource | Better observability via the HelmRelease status object, Kubernetes events, and notifications
+Resource heavy, relatively slow | Better performance
+Chart changes from Git sources are determined from Git metadata | Chart changes must be accompanied by a version bump in `Chart.yaml` to produce a new artifact
+
+#### Notifications, webhooks, observability
+
+Flux v1                            | Flux v2
+---------------------------------- | ----------------------------------
+Emits "custom Flux events" to a webhook endpoint | Emits Kubernetes events for included custom resources
+RPC endpoint can be configured to a 3rd party solution like FluxCloud to be forwarded as notifications to e.g. Slack | Flux v2 components can be configured to POST the events to a `notification-controller` endpoint. Selective forwarding of POSTed events as notifications using `Provider` and `Alert` custom resources.
+Webhook receiver is a side-project | Webhook receiver, handling a wide range of platforms, is included
+Unstructured logging | Structured logging for all components
+Custom Prometheus metrics | Generic / common `controller-runtime` Prometheus metrics
+
+### Are there any breaking changes?
+
+- In Flux v1 Kustomize support was implemented through `.flux.yaml` files in the Git repository. As indicated in the comparison table above, while this approach worked, we found it to be error-prone and hard to debug. The new [Kustomization CR](https://github.com/fluxcd/kustomize-controller/blob/master/docs/spec/v1alpha1/kustomization.md) should make troubleshooting much easier. Unfortunately we needed to drop the support for custom commands as running arbitrary shell scripts in-cluster poses serious security concerns.
+- Helm users: we redesigned the `HelmRelease` API and the automation will work quite differently, so upgrading to `HelmRelease` v2 will require a little work from you, but you will gain more flexibility, better observability and performance.
+
+### Is the GitOps Toolkit related to the GitOps Engine?
+
+In an announcement in August 2019, the expectation was set that the Flux project would integrate the GitOps Engine, then being factored out of ArgoCD. Since the result would be backward-incompatible, it would require a major version bump: Flux v2.
+
+After experimentation and considerable thought, we (the maintainers) have found a path to Flux v2 that we think better serves our vision of GitOps: the GitOps Toolkit. In consequence, we do not now plan to integrate GitOps Engine into Flux.
+
+### How can I get involved?
+
+There are a variety of ways and we look forward to having you on board building the future of GitOps together:
+
+- [Discuss the direction](https://github.com/fluxcd/flux2/discussions) of Flux v2 with us
+- Join us in #flux-dev on the [CNCF Slack](https://slack.cncf.io)
+- Check out our [contributor docs](https://toolkit.fluxcd.io/contributing/)
+- Take a look at the [roadmap for Flux v2](https://toolkit.fluxcd.io/roadmap/)

docs/guides/flux-v1-migration.md

@@ -1,7 +1,7 @@
 # Migrate from Flux v1 to v2
 
 This guide walks you through migrating from Flux v1 to v2.
-Read the [FAQ](../faq/index.md) to find out what differences are between v1 and v2.
+Read the [FAQ](faq-migration.md) to find out what differences are between v1 and v2.
 
 !!! info "Automated image updates"
     The image automation feature is under development in Flux v2.
@@ -125,7 +125,6 @@ Install Flux v2 in the `flux-system` namespace:
 
 ```console
 $ flux install \
-  --arch=amd64 \
   --network-policy=true \
   --watch-all-namespaces=true \
   --namespace=flux-system
@@ -243,7 +242,7 @@ Configure the reconciliation of the `prod` overlay on your cluster:
 
 ```sh
 flux create kustomization app \
-  --source=app \
+  --source=GitRepository/app \
   --path="./overlays/prod" \
   --prune=true \
   --interval=10m

docs/guides/helm-operator-migration.md

@@ -773,6 +773,12 @@ Probably, but with some side notes:
 1. It is still under active development, and while our focus has been to stabilize the API as much as we can during the first development phase, we do not guarantee there will not be any breaking changes before we reach General Availability. We are however committed to provide [conversion webhooks](https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definition-versioning/#webhook-conversion) for upcoming API versions.
 1. There may be (internal) behavioral changes in upcoming releases, but they should be aimed at further stabilizing the Helm Controller itself, solving edge case issues, providing better logging, observability, and/or other improvements.
 
+### Can I use Helm Controller standalone?
+
+Helm Controller depends on [Source Controller](../components/source/controller.md), you can install both controllers
+and manager Helm releases in a declarative way without GitOps.
+For more details please see this [answer](../faq/index.md#can-i-use-flux-helmreleases-without-gitops).
+
 ### I have another question
 
 Given the amount of changes, it is quite possible that this document did not provide you with a clear answer for you specific setup. If this applies to you, do not hestitate to ask for help in the [GitHub Discussions](https://github.com/fluxcd/flux2/discussions/new?category_id=31999889) or on the [`#flux` CNCF Slack channel](https://slack.cncf.io)!

go.mod

@@ -5,7 +5,7 @@ go 1.16
 require (
 	github.com/Masterminds/semver/v3 v3.1.0
 	github.com/cyphar/filepath-securejoin v0.2.2
-	github.com/fluxcd/helm-controller/api v0.8.0
+	github.com/fluxcd/helm-controller/api v0.8.1
 	github.com/fluxcd/image-automation-controller/api v0.6.1
 	github.com/fluxcd/image-reflector-controller/api v0.7.0
 	github.com/fluxcd/kustomize-controller/api v0.9.1
@@ -22,6 +22,7 @@ require (
 	github.com/olekukonko/tablewriter v0.0.4
 	github.com/spf13/cobra v1.1.1
 	github.com/spf13/pflag v1.0.5
+	golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0
 	k8s.io/api v0.20.2
 	k8s.io/apiextensions-apiserver v0.20.2
 	k8s.io/apimachinery v0.20.2

go.sum

@@ -188,8 +188,8 @@ github.com/evanphx/json-patch/v5 v5.1.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2Vvl
 github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d/go.mod h1:ZZMPRZwes7CROmyNKgQzC3XPs6L/G2EJLHddWejkmf4=
 github.com/fatih/camelcase v1.0.0/go.mod h1:yN2Sb0lFhZJUdVvtELVWefmrXpuZESvPmqwoZc+/fpc=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
-github.com/fluxcd/helm-controller/api v0.8.0 h1:1P9GmneUbTVnKeEt/VJpr69YJfhh67EXqCcFhseJ8JA=
-github.com/fluxcd/helm-controller/api v0.8.0/go.mod h1:cFceNc/mOBa+Qi3NE8NDY2w3FAEectauTm8c10mcBis=
+github.com/fluxcd/helm-controller/api v0.8.1 h1:AEmw/xaRi2y9lD6TB+2w1Govj7OhD5oxoDx6HGty1yM=
+github.com/fluxcd/helm-controller/api v0.8.1/go.mod h1:cFceNc/mOBa+Qi3NE8NDY2w3FAEectauTm8c10mcBis=
 github.com/fluxcd/image-automation-controller/api v0.6.1 h1:LgjjNYXrVojfgjit37GA0SDYre3AaDabYzT7L6lWO7I=
 github.com/fluxcd/image-automation-controller/api v0.6.1/go.mod h1:8Q/baOONPrSJFMq7+zxp/t2WGrqVFRUx4HnTrg37pNE=
 github.com/fluxcd/image-reflector-controller/api v0.7.0 h1:Mlu9ybrL+MtWcaIex4+FOcYuk+0vA/7bYj8MxVvLR1A=

internal/utils/utils.go

@@ -22,7 +22,6 @@ import (
 	"context"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -30,6 +29,14 @@ import (
 	"strings"
 	"text/template"
 
+	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
+	imageautov1 "github.com/fluxcd/image-automation-controller/api/v1alpha1"
+	imagereflectv1 "github.com/fluxcd/image-reflector-controller/api/v1alpha1"
+	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta1"
+	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
+	"github.com/fluxcd/pkg/runtime/dependency"
+	"github.com/fluxcd/pkg/version"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 	"github.com/olekukonko/tablewriter"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -40,20 +47,6 @@ import (
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
 	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/kustomize/api/filesys"
-	"sigs.k8s.io/kustomize/api/k8sdeps/kunstruct"
-	"sigs.k8s.io/kustomize/api/konfig"
-	kustypes "sigs.k8s.io/kustomize/api/types"
-	"sigs.k8s.io/yaml"
-
-	helmv2 "github.com/fluxcd/helm-controller/api/v2beta1"
-	imageautov1 "github.com/fluxcd/image-automation-controller/api/v1alpha1"
-	imagereflectv1 "github.com/fluxcd/image-reflector-controller/api/v1alpha1"
-	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta1"
-	notificationv1 "github.com/fluxcd/notification-controller/api/v1beta1"
-	"github.com/fluxcd/pkg/runtime/dependency"
-	"github.com/fluxcd/pkg/version"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 
 	"github.com/fluxcd/flux2/pkg/manifestgen/install"
 )
@@ -253,90 +246,6 @@ func MakeDependsOn(deps []string) []dependency.CrossNamespaceDependencyReference
 	return refs
 }
 
-// GenerateKustomizationYaml is the equivalent of running
-// 'kustomize create --autodetect' in the specified dir
-func GenerateKustomizationYaml(dirPath string) error {
-	fs := filesys.MakeFsOnDisk()
-	kfile := filepath.Join(dirPath, "kustomization.yaml")
-
-	scan := func(base string) ([]string, error) {
-		var paths []string
-		uf := kunstruct.NewKunstructuredFactoryImpl()
-		err := fs.Walk(base, func(path string, info os.FileInfo, err error) error {
-			if err != nil {
-				return err
-			}
-			if path == base {
-				return nil
-			}
-			if info.IsDir() {
-				// If a sub-directory contains an existing kustomization file add the
-				// directory as a resource and do not decend into it.
-				for _, kfilename := range konfig.RecognizedKustomizationFileNames() {
-					if fs.Exists(filepath.Join(path, kfilename)) {
-						paths = append(paths, path)
-						return filepath.SkipDir
-					}
-				}
-				return nil
-			}
-			fContents, err := fs.ReadFile(path)
-			if err != nil {
-				return err
-			}
-			if _, err := uf.SliceFromBytes(fContents); err != nil {
-				return nil
-			}
-			paths = append(paths, path)
-			return nil
-		})
-		return paths, err
-	}
-
-	if _, err := os.Stat(kfile); err != nil {
-		abs, err := filepath.Abs(dirPath)
-		if err != nil {
-			return err
-		}
-
-		files, err := scan(abs)
-		if err != nil {
-			return err
-		}
-
-		f, err := fs.Create(kfile)
-		if err != nil {
-			return err
-		}
-		f.Close()
-
-		kus := kustypes.Kustomization{
-			TypeMeta: kustypes.TypeMeta{
-				APIVersion: kustypes.KustomizationVersion,
-				Kind:       kustypes.KustomizationKind,
-			},
-		}
-
-		var resources []string
-		for _, file := range files {
-			relP, err := filepath.Rel(abs, file)
-			if err != nil {
-				return err
-			}
-			resources = append(resources, relP)
-		}
-
-		kus.Resources = resources
-		kd, err := yaml.Marshal(kus)
-		if err != nil {
-			return err
-		}
-
-		return ioutil.WriteFile(kfile, kd, os.ModePerm)
-	}
-	return nil
-}
-
 func PrintTable(writer io.Writer, header []string, rows [][]string) {
 	table := tablewriter.NewWriter(writer)
 	table.SetHeader(header)

manifests/bases/helm-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/helm-controller/releases/download/v0.8.0/helm-controller.crds.yaml
-- https://github.com/fluxcd/helm-controller/releases/download/v0.8.0/helm-controller.deployment.yaml
+- https://github.com/fluxcd/helm-controller/releases/download/v0.8.1/helm-controller.crds.yaml
+- https://github.com/fluxcd/helm-controller/releases/download/v0.8.1/helm-controller.deployment.yaml
 - account.yaml
 patchesJson6902:
 - target:

manifests/bases/kustomize-controller/kustomization.yaml

@@ -1,8 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- https://github.com/fluxcd/kustomize-controller/releases/download/v0.9.1/kustomize-controller.crds.yaml
-- https://github.com/fluxcd/kustomize-controller/releases/download/v0.9.1/kustomize-controller.deployment.yaml
+- https://github.com/fluxcd/kustomize-controller/releases/download/v0.9.2/kustomize-controller.crds.yaml
+- https://github.com/fluxcd/kustomize-controller/releases/download/v0.9.2/kustomize-controller.deployment.yaml
 - account.yaml
 patchesJson6902:
 - target:

mkdocs.yml

@@ -50,6 +50,7 @@ nav:
      - Migrate from Flux v1: guides/flux-v1-migration.md
      - Migrate from Flux v1 image update automation: guides/flux-v1-automation-migration.md
      - Migrate from the Helm Operator: guides/helm-operator-migration.md
+     - FAQ: guides/faq-migration.md
   - Guides:
       - Installation: guides/installation.md
       - Manage Helm Releases: guides/helmreleases.md

pkg/manifestgen/kustomization/kustomization.go

@@ -0,0 +1,123 @@
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kustomization
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+
+	"sigs.k8s.io/kustomize/api/k8sdeps/kunstruct"
+	"sigs.k8s.io/kustomize/api/konfig"
+	kustypes "sigs.k8s.io/kustomize/api/types"
+	"sigs.k8s.io/yaml"
+
+	"github.com/fluxcd/flux2/pkg/manifestgen"
+)
+
+func Generate(options Options) (*manifestgen.Manifest, error) {
+	kfile := filepath.Join(options.TargetPath, konfig.DefaultKustomizationFileName())
+	abskfile := filepath.Join(options.BaseDir, kfile)
+
+	scan := func(base string) ([]string, error) {
+		var paths []string
+		uf := kunstruct.NewKunstructuredFactoryImpl()
+		err := options.FileSystem.Walk(base, func(path string, info os.FileInfo, err error) error {
+			if err != nil {
+				return err
+			}
+			if path == base {
+				return nil
+			}
+			if info.IsDir() {
+				// If a sub-directory contains an existing Kustomization file add the
+				// directory as a resource and do not decent into it.
+				for _, kfilename := range konfig.RecognizedKustomizationFileNames() {
+					if options.FileSystem.Exists(filepath.Join(path, kfilename)) {
+						paths = append(paths, path)
+						return filepath.SkipDir
+					}
+				}
+				return nil
+			}
+			fContents, err := options.FileSystem.ReadFile(path)
+			if err != nil {
+				return err
+			}
+			if _, err := uf.SliceFromBytes(fContents); err != nil {
+				return nil
+			}
+			paths = append(paths, path)
+			return nil
+		})
+		return paths, err
+	}
+
+	if _, err := os.Stat(abskfile); err != nil {
+		abs, err := filepath.Abs(filepath.Dir(abskfile))
+		if err != nil {
+			return nil, err
+		}
+
+		files, err := scan(abs)
+		if err != nil {
+			return nil, err
+		}
+
+		f, err := options.FileSystem.Create(abskfile)
+		if err != nil {
+			return nil, err
+		}
+		f.Close()
+
+		kus := kustypes.Kustomization{
+			TypeMeta: kustypes.TypeMeta{
+				APIVersion: kustypes.KustomizationVersion,
+				Kind:       kustypes.KustomizationKind,
+			},
+		}
+
+		var resources []string
+		for _, file := range files {
+			relP, err := filepath.Rel(abs, file)
+			if err != nil {
+				return nil, err
+			}
+			resources = append(resources, relP)
+		}
+
+		kus.Resources = resources
+		kd, err := yaml.Marshal(kus)
+		if err != nil {
+			return nil, err
+		}
+
+		return &manifestgen.Manifest{
+			Path:    kfile,
+			Content: string(kd),
+		}, nil
+	}
+
+	kd, err := ioutil.ReadFile(abskfile)
+	if err != nil {
+		return nil, err
+	}
+	return &manifestgen.Manifest{
+		Path:    kfile,
+		Content: string(kd),
+	}, nil
+}

pkg/manifestgen/kustomization/options.go

@@ -0,0 +1,33 @@
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kustomization
+
+import "sigs.k8s.io/kustomize/api/filesys"
+
+type Options struct {
+	FileSystem filesys.FileSystem
+	BaseDir    string
+	TargetPath string
+}
+
+func MakeDefaultOptions() Options {
+	return Options{
+		FileSystem: filesys.MakeFsOnDisk(),
+		BaseDir:    "",
+		TargetPath: "",
+	}
+}

pkg/manifestgen/sourcesecret/options.go

@@ -0,0 +1,74 @@
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package sourcesecret
+
+import (
+	"crypto/elliptic"
+)
+
+type PrivateKeyAlgorithm string
+
+const (
+	RSAPrivateKeyAlgorithm     PrivateKeyAlgorithm = "rsa"
+	ECDSAPrivateKeyAlgorithm   PrivateKeyAlgorithm = "ecdsa"
+	Ed25519PrivateKeyAlgorithm PrivateKeyAlgorithm = "ed25519"
+)
+
+const (
+	UsernameSecretKey   = "username"
+	PasswordSecretKey   = "password"
+	CAFileSecretKey     = "caFile"
+	CertFileSecretKey   = "certFile"
+	KeyFileSecretKey    = "keyFile"
+	PrivateKeySecretKey = "identity"
+	PublicKeySecretKey  = "identity.pub"
+	KnownHostsSecretKey = "known_hosts"
+)
+
+type Options struct {
+	Name                string
+	Namespace           string
+	Labels              map[string]string
+	SSHHostname         string
+	PrivateKeyAlgorithm PrivateKeyAlgorithm
+	RSAKeyBits          int
+	ECDSACurve          elliptic.Curve
+	PrivateKeyPath      string
+	Username            string
+	Password            string
+	CAFilePath          string
+	CertFilePath        string
+	KeyFilePath         string
+	TargetPath          string
+	ManifestFile        string
+}
+
+func MakeDefaultOptions() Options {
+	return Options{
+		Name:                "flux-system",
+		Namespace:           "flux-system",
+		Labels:              map[string]string{},
+		PrivateKeyAlgorithm: RSAPrivateKeyAlgorithm,
+		PrivateKeyPath:      "",
+		Username:            "",
+		Password:            "",
+		CAFilePath:          "",
+		CertFilePath:        "",
+		KeyFilePath:         "",
+		ManifestFile:        "secret.yaml",
+	}
+}

pkg/manifestgen/sourcesecret/sourcesecret.go

@@ -0,0 +1,187 @@
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package sourcesecret
+
+import (
+	"bytes"
+	"encoding/pem"
+	"fmt"
+	"io/ioutil"
+	"net"
+	"path"
+	"time"
+
+	cryptssh "golang.org/x/crypto/ssh"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/yaml"
+
+	"github.com/fluxcd/pkg/ssh"
+
+	"github.com/fluxcd/flux2/pkg/manifestgen"
+)
+
+const defaultSSHPort = 22
+
+func Generate(options Options) (*manifestgen.Manifest, error) {
+	var err error
+
+	var keypair *ssh.KeyPair
+	switch {
+	case options.Username != "", options.Password != "":
+		// noop
+	case len(options.PrivateKeyPath) > 0:
+		if keypair, err = loadKeyPair(options.PrivateKeyPath); err != nil {
+			return nil, err
+		}
+	case len(options.PrivateKeyAlgorithm) > 0:
+		if keypair, err = generateKeyPair(options); err != nil {
+			return nil, err
+		}
+	}
+
+	var hostKey []byte
+	if keypair != nil {
+		if hostKey, err = scanHostKey(options.SSHHostname); err != nil {
+			return nil, err
+		}
+	}
+
+	var caFile []byte
+	if options.CAFilePath != "" {
+		if caFile, err = ioutil.ReadFile(options.CAFilePath); err != nil {
+			return nil, fmt.Errorf("failed to read CA file: %w", err)
+		}
+	}
+
+	var certFile, keyFile []byte
+	if options.CertFilePath != "" && options.KeyFilePath != "" {
+		if certFile, err = ioutil.ReadFile(options.CertFilePath); err != nil {
+			return nil, fmt.Errorf("failed to read cert file: %w", err)
+		}
+		if keyFile, err = ioutil.ReadFile(options.KeyFilePath); err != nil {
+			return nil, fmt.Errorf("failed to read key file: %w", err)
+		}
+	}
+
+	secret := buildSecret(keypair, hostKey, caFile, certFile, keyFile, options)
+	b, err := yaml.Marshal(secret)
+	if err != nil {
+		return nil, err
+	}
+
+	return &manifestgen.Manifest{
+		Path:    path.Join(options.TargetPath, options.Namespace, options.ManifestFile),
+		Content: fmt.Sprintf("---\n%s", resourceToString(b)),
+	}, nil
+}
+
+func buildSecret(keypair *ssh.KeyPair, hostKey, caFile, certFile, keyFile []byte, options Options) (secret corev1.Secret) {
+	secret.TypeMeta = metav1.TypeMeta{
+		APIVersion: "v1",
+		Kind:       "Secret",
+	}
+	secret.ObjectMeta = metav1.ObjectMeta{
+		Name:      options.Name,
+		Namespace: options.Namespace,
+	}
+	secret.Labels = options.Labels
+	secret.StringData = map[string]string{}
+
+	if options.Username != "" || options.Password != "" {
+		secret.StringData[UsernameSecretKey] = options.Username
+		secret.StringData[PasswordSecretKey] = options.Password
+	}
+
+	if caFile != nil {
+		secret.StringData[CAFileSecretKey] = string(caFile)
+	}
+
+	if certFile != nil && keyFile != nil {
+		secret.StringData[CertFileSecretKey] = string(certFile)
+		secret.StringData[KeyFileSecretKey] = string(keyFile)
+	}
+
+	if keypair != nil && hostKey != nil {
+		secret.StringData[PrivateKeySecretKey] = string(keypair.PrivateKey)
+		secret.StringData[PublicKeySecretKey] = string(keypair.PublicKey)
+		secret.StringData[KnownHostsSecretKey] = string(hostKey)
+	}
+
+	return
+}
+
+func loadKeyPair(path string) (*ssh.KeyPair, error) {
+	b, err := ioutil.ReadFile(path)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open private key file: %w", err)
+	}
+
+	block, _ := pem.Decode(b)
+	if block == nil {
+		return nil, fmt.Errorf("failed to decode PEM block")
+	}
+
+	ppk, err := cryptssh.ParsePrivateKey(block.Bytes)
+	if err != nil {
+		return nil, err
+	}
+
+	return &ssh.KeyPair{
+		PublicKey:  cryptssh.MarshalAuthorizedKey(ppk.PublicKey()),
+		PrivateKey: b,
+	}, nil
+}
+
+func generateKeyPair(options Options) (*ssh.KeyPair, error) {
+	var keyGen ssh.KeyPairGenerator
+	switch options.PrivateKeyAlgorithm {
+	case RSAPrivateKeyAlgorithm:
+		keyGen = ssh.NewRSAGenerator(options.RSAKeyBits)
+	case ECDSAPrivateKeyAlgorithm:
+		keyGen = ssh.NewECDSAGenerator(options.ECDSACurve)
+	case Ed25519PrivateKeyAlgorithm:
+		keyGen = ssh.NewEd25519Generator()
+	default:
+		return nil, fmt.Errorf("unsupported public key algorithm: %s", options.PrivateKeyAlgorithm)
+	}
+	pair, err := keyGen.Generate()
+	if err != nil {
+		return nil, fmt.Errorf("key pair generation failed, error: %w", err)
+	}
+	return pair, nil
+}
+
+func scanHostKey(host string) ([]byte, error) {
+	if _, _, err := net.SplitHostPort(host); err != nil {
+		// Assume we are dealing with a hostname without a port,
+		// append the default SSH port as this is required for
+		// host key scanning to work.
+		host = fmt.Sprintf("%s:%d", host, defaultSSHPort)
+	}
+	hostKey, err := ssh.ScanHostKey(host, 30*time.Second)
+	if err != nil {
+		return nil, fmt.Errorf("SSH key scan for host %s failed, error: %w", host, err)
+	}
+	return bytes.TrimSpace(hostKey), nil
+}
+
+func resourceToString(data []byte) string {
+	data = bytes.Replace(data, []byte("  creationTimestamp: null\n"), []byte(""), 1)
+	data = bytes.Replace(data, []byte("status: {}\n"), []byte(""), 1)
+	return string(data)
+}

pkg/manifestgen/sync/options.go

@@ -26,6 +26,7 @@ type Options struct {
 	Name              string
 	Namespace         string
 	Branch            string
+	Secret            string
 	TargetPath        string
 	ManifestFile      string
 	GitImplementation string
@@ -38,6 +39,7 @@ func MakeDefaultOptions() Options {
 		Name:              "flux-system",
 		Namespace:         "flux-system",
 		Branch:            "main",
+		Secret:            "flux-system",
 		ManifestFile:      "gotk-sync.yaml",
 		TargetPath:        "",
 		GitImplementation: "",

pkg/manifestgen/sync/sync.go

@@ -53,7 +53,7 @@ func Generate(options Options) (*manifestgen.Manifest, error) {
 				Branch: options.Branch,
 			},
 			SecretRef: &meta.LocalObjectReference{
-				Name: options.Name,
+				Name: options.Secret,
 			},
 			GitImplementation: options.GitImplementation,
 		},